The key to old Petya versions has been published by the malware author

As research concluded, the original author of Petya, Janus, was not involved in the latest attacks on Ukraine: his original malware was pirated and extended by an unknown actor (read more here). Probably as a result of these events, Janus decided to shut down the Petya project. Like the authors of TeslaCrypt before him, he released his private key, allowing all victims of the earlier Petya attacks to get their files back.

(The author of Petya has been known for previously leaking the keys of his rival, Chimera ransomware – details here).

What exactly happened?

After guessing the password and decrypting the package with the help of openssl, I got the following plaintext:

Congratulations!
Here is our secp192k1 privkey:
38dd46801ce61883433048d6d8c6ab8be18654a2695b4723
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the "Personal Code" which is BASE58 encoded.

It seems that this is Janus’ private key for all the previous Petyas.

Can it help in case of EternalPetya/NotPetya?

This key cannot help in the case of EternalPetya: there, the Salsa keys are not encrypted with Janus' public key at all, but erased and lost forever (read more). It can only help the people who were attacked by earlier Petya/Goldeneye versions.

What is the value added by having this key?

The error in the second version (a.k.a. Green Petya), which I revealed, was not as severe. Yet it allowed for writing a bruteforcer. Thanks to the GPU-based solution implemented by procrash, cracking the Salsa key was sped up to about 3 days.

Later versions fixed these flaws, so cracking the Salsa key was no longer possible.

Thanks to the newly published master key, anyone who has preserved an image of a disk encrypted by one of the affected Petya versions may have a chance to get their data back.

Further research related to the verification of the obtained material and the decryptor is in progress. We will keep you updated, please stay tuned!

Appendix

This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.
